DECEMBER 2022 | 19 | CIOReview

LET GO OF YOUR SUPERHERO CAPE

"Any information security controls, solutions, and processes must consider that the user community does not consist of information security professionals and is usually disinterested in the topic."

they understand what you are facing on an ongoing basis; share with them new cyber threats; share with them cyber hints and tips that they can also apply in their daily lives, thus making it more relatable.

The second principle relates to risk ownership. With our superhero capes on, we enjoy owning risks on behalf of the business. Again, we want to be the ones to save the day and solve all problems. However, we cannot assume to know more about the business, and the impact of a risk on business outcomes, than the people working with and honing the business processes on a daily basis. This does not mean that we simply pass all risks on to our colleagues; we travel with them. To be successful we need to learn their language, stop using foreign acronyms, and be able to interpret and explain risks in an easy-to-understand manner, not by using fear and uncertainty. Risks must be presented to a representative forum, explaining the impact in business terminology and linking it to business outcomes. We need to provide potential mitigations or remediations with researched benefits, negatives and resource implications, whether time, cost or effort, thus empowering the business to make an informed, consulted and collaborative risk management decision in line with the organisation's risk appetite.

Thirdly, learn to be agile and flexible, and do not underestimate the value of linking the information security strategy to the business strategy and outcomes. It may seem self-explanatory, but as information security professionals we often once again want to put on our superhero capes and make decisions regarding technology investments and controls on behalf of the business. This is when we risk over-protecting the organisation, or even under-protecting critical areas, because we are too focussed on our own agenda of wanting to save the day with the latest and greatest information security tools and technologies.

So how do we go about this practically? I am a firm believer in the one-page annual strategy or plan. Practical experience has taught me that longer-term strategies or plans are difficult to commit to in a modern world built on agility and digital innovation. The threat landscape is too fluid, and businesses have to respond faster than ever to ever-changing ecosystems. The recent global pandemic has certainly brought this message home to all of us. For example, remote working was still a pipe dream for a lot of organisations, something to perhaps consider in the future. The pandemic forced us to re-examine our perceptions and to make sure the pipe dream became reality within an extraordinarily short period of time. With a long-term fixed strategy, one cannot easily pivot with the business strategy and remain aligned.

The one-page strategy allows dedicated focus on those key risks that must be solved within the immediate future. The information security goals and objectives are clearly articulated and aligned to the risks. And lastly, the related initiatives to reach the goals and objectives are defined. On one page one can thus follow the path from risk to goal to initiative. There is not a lot of space on one page, so focus is forced onto the most important risks, which prevents over-committing to an endless list of initiatives.

The strategy must, however, not be a document that is only referred to at budget time or once a year. It is a critical information and communication tool to support and motivate the activities and actions of the information security discipline. It is therefore important that one holds oneself accountable to key stakeholders and reports on progress in various forums. The reporting calls for being honest with oneself and the stakeholders about the challenges and failings, whilst celebrating successes and highlighting countermeasures to get back on track.

Working with the business in the war against cybercrime is much more effective and impactful than trying to be the solitary superhero. It allows for a unified attack on and response to cyber threats that takes into consideration and supports the business outcomes. It is time to put away the superhero cape and journey with the business instead.